Looking for router advice before moving to AT&T fiber

Gene

Active Member
Jan 27, 2016
Try 115200. It was one or the other.
Yep, that was it; a baud rate of 115200 worked. I now have valid certs and mfg.dat for the 210. I must be doing something wrong in supplicant mode of pfSense. It hangs at "waiting for EAP to authorize" when using the script. Bah.
 

mb300sd

Active Member
Aug 1, 2016
Skip the script and run

sudo /sbin/wpa_supplicant -dd -Dwired -ieth0 -c wpa_supplicant.conf

on the command line; it should tell you where it's hanging. Make sure you didn't get any 0-byte .cer files; it seems the 210's Linux doesn't unmount the partition correctly. Running sync before unmounting might help.
 

Gene

Active Member
Jan 27, 2016
Yep, all 0 bytes on the .der files; I'll give sync a shot. The mfg.dat came through OK.

I copied over the files a few different ways. That and typing "sync" before the umount seemed to fix it. So I finally have the valid .der files.
 

mb300sd

Active Member
Aug 1, 2016
The .der files are universal, so you can use the ones from the 589 with the mfg.dat from the 210 if you need to.
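The 0-byte .der/.cer problem above is easy to catch before feeding the files to wpa_supplicant: a DER-encoded X.509 certificate is a single outer SEQUENCE whose encoded length must match the file size exactly. This is an added checker, not code from the thread or from any of the extraction scripts it mentions; it uses only the standard library, and the .der/.cer suffixes and the directory argument are my assumptions.

```python
from pathlib import Path
from typing import Dict, Optional


def der_outer_length(data: bytes) -> Optional[int]:
    """Return the total encoded size of the outermost DER TLV, or None if it is not a SEQUENCE.

    An X.509 Certificate is SEQUENCE (tag 0x30). The length octet is either
    short form (< 0x80, the length itself) or long form (0x80 | n, followed by n length bytes).
    """
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                       # short form
        return 2 + first
    n = first & 0x7F                       # long form: n bytes of big-endian length follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    length = int.from_bytes(data[2:2 + n], "big")
    return 2 + n + length


def check_der_blob(data: bytes) -> str:
    """Classify a certificate blob: empty, not-der, truncated, trailing-garbage or ok."""
    if len(data) == 0:
        return "empty"                     # the 0-byte files from a bad unmount
    total = der_outer_length(data)
    if total is None:
        return "not-der"
    if total > len(data):
        return "truncated"                 # copy stopped before the flush completed
    if total < len(data):
        return "trailing-garbage"
    return "ok"


def check_der_dir(directory: str, suffixes=(".der", ".cer")) -> Dict[str, str]:
    """Check every .der/.cer file in a directory (assumed layout); returns name -> status."""
    results = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file() and path.suffix.lower() in suffixes:
            results[path.name] = check_der_blob(path.read_bytes())
    return results


if __name__ == "__main__":
    import sys
    for name, status in check_der_dir(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{status:16} {name}")
```

Anything other than "ok" means re-copy the file (with sync before umount, as above) rather than wondering later why EAP never authorizes.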
 

Kev

Active Member
Feb 16, 2015
mb300sd said:
Skip the script and run

sudo /sbin/wpa_supplicant -dd -Dwired -ieth0 -c wpa_supplicant.conf

on the command line; it should tell you where it's hanging. Make sure you didn't get any 0-byte .cer files; it seems the 210's Linux doesn't unmount the partition correctly. Running sync before unmounting might help.
So are you saying you don't need the script to create a netgraph interface in pfSense if you are doing wpa_supplicant?

Cheers,
Kevin
 

mb300sd

Active Member
Aug 1, 2016
Kev said:
So are you saying you don't need the script to create a netgraph interface in pfSense if you are doing wpa_supplicant?

Cheers,
Kevin
Not sure, I'm not running pfSense. But wpa_supplicant alone should tell you why it hangs. I think the netgraph had something to do with VLAN 0 on BSD, so you probably need it to actually access the internet.
 

Kev

Active Member
Feb 16, 2015
OK, so I finally got WPA authenticated using a sandbox pfSense install on my ESXi server and I passed one port over. igb0 is connected to my ONT and I'm trying to get a DHCP address on ngeth0. I had to fix the pfatt.sh script to run wpa_supplicant on the ONT (igb0) instead of ngeth0, because WPA packets don't need tagging with VLAN 0. After wpa_cli status says I'm authenticated, I see DHCP requests from a MAC address that matches my RG, but I see no replies. I see the traffic on ngeth0 with no tags and on igb0 with VLAN 0, P0 tagging, so everything seems to work.

Now I'm pretty much stuck: WPA is authenticated but I don't see any DHCP replies. I wonder if the ONT is really tagging all traffic with VLAN 0?
 

das1996

New Member
Sep 4, 2018
^^ You shouldn't be mixing the wpa_supplicant method with netgraph. Get rid of all the netgraph stuff and retest.
 

Kev

Active Member
Feb 16, 2015
I thought Netgraph was still needed to tag the traffic as VLAN 0, priority 0, and there is no way to do that in pfSense without Netgraph.
 

das1996

New Member
Sep 4, 2018
If running bare metal, you need a dumb switch between the ONT and pfSense, but 802.1X auth does work. Under ESXi no dumb switch is needed. Such was my experience in testing (under ESXi).
 

Kev

Active Member
Feb 16, 2015
Hrm, somehow you are right. In ESXi, I just added a new e1000e interface, connected the ONT to it, ran wpa_supplicant and it authorized. When I was using Netgraph I could see tagged traffic, but it looks like the ESXi vSwitch might just strip these tags off and everything is okay. I got DHCPv4 and DHCPv6 going.

Now I have to figure out how to add my /29 static addresses.

Oh, I tried the vmxnet3 adapter and it didn't authorize. I might have to go back and check on this one.
 

marcoi

Well-Known Member
Apr 6, 2013
Gotha Florida
I finally got the static IP working in pfSense. I believe. Lol

I created an interface called staticIPs.
I assigned it my last usable address in the block, which for me was .70/29 (I have an 8 static block).
I also added, under the static IPv4 gateway, the broadcast IP, which for me was .71.

On my Sophos UTM, I manually configured the WAN IP to .65/29 with a gateway of .70.
 

Kev

Active Member
Feb 16, 2015
How does it know to route on the wan interface if a new static interface is created?

I'm thinking IP alias or something else on the WAN interface.
 

marcoi

Well-Known Member
Apr 6, 2013
Gotha Florida
@Kev Not sure if I am answering your question, but the way I have it, I have a FW rule on WAN to allow traffic in on the .65 IP and port 7443.
The rule is set up as source = any / dest = single host, the .65 IP / dest port = other, 7443.
Under the StaticIP interface I have a rule to allow all traffic:
Source = StaticIP / Dest = any

I don't have any alias set up.

With the configuration I have now, any PC connected to my Sophos UTM is showing an IP address of .65 on whoami, vs. before, when I got the standard DHCP IP address.

Hope that helps.
 

mb300sd

Active Member
Aug 1, 2016
Doing some server upgrades. The Hyper-V switch in Server 2019 now supports passing through 802.1x, so no more need to do DDA to the VM.

802.1x Support with the Hyper-V switch is here! - Working Hard In IT

You just need 1 registry entry and a reboot.
Code:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmsmp\parameters" /v 8021xEnabled /t REG_DWORD /d 1 /f
Apparently the Intel X722 adapter on my new system strips VLAN 0 tags on its own. It happened with both PCIe passthrough and with the HV switch. Thankfully AT&T doesn't seem to care if you send the outgoing packets untagged. I didn't want to waste a PCIe slot for a different NIC.
 

fohdeesha

Kaini Industries
Nov 20, 2016
fohdeesha.com
mb300sd said:
Thankfully AT&T doesn't seem to care if you send the outgoing packets untagged.
Well, that's quite the development... I was really wanting to terminate AT&T's fiber right on my ICX6610s so I don't need another Linux box/VM and all that crap just to terminate it. The Brocades will take a GPON SFP and will do 802.1X authentication and termination right onboard; however, I ruled it out because they will not allow you to tag packets on VLAN 0. Your discovery makes me wonder if it's worth trying now. The big question is FastIron's treatment of packets coming in tagged with VLAN 0. Only one way to find out, I guess.
 

mb300sd

Active Member
Aug 1, 2016
From what I can tell from the 802.1p spec, VLAN 0 means no VLAN but uses the tag for the QoS portion. Seems to be how AT&T's upstream equipment is handling it. Maybe the ICX6610 will strip the tag automatically for incoming packets as well? I'd try sending tagged frames in with Linux and see how they come out another port.

Please let me know if you can get a GPON SFP working. I worked out how to clone the SLID and serial number on the ONT, but could never get mine to link up. Maybe it was just an incompatible model. I have way too many firewall rules to want to use an L3 switch as my main router, but getting rid of non-rackable bits makes the place look nicer.
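The "VLAN 0 is a priority tag, not a VLAN" point above, and the later observation that the ICX6610 and the X722 silently drop that tag, come down to four bytes in the Ethernet header. This is an added example, not code from the thread: it builds frames with an 802.1Q tag, decodes PCP/DEI/VID from the TCI, and strips the tag only when VID is 0 (what the switch and NIC were seen doing) while leaving real VLANs untouched. The MAC addresses and payload are constructed sample data.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: int = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Build an Ethernet frame; when vid is given, insert an 802.1Q tag.

    vid=0 with pcp set is a 'priority tag' (802.1p QoS only, no VLAN membership),
    which is what the ONT hands pfSense/Linux in this thread.
    """
    header = dst + src
    if vid is not None:
        tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)   # 3-bit PCP, 1-bit DEI, 12-bit VID
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_tag(frame: bytes):
    """Return (pcp, dei, vid) if the frame carries an 802.1Q tag, else None."""
    if len(frame) < 18:                       # 12 bytes of MACs + 4-byte tag + EtherType
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return (tci >> 13, (tci >> 12) & 1, tci & 0x0FFF)


def strip_priority_tag(frame: bytes):
    """Remove the tag only when VID == 0, as the ICX6610/X722 appear to do.

    Returns (frame, pcp): pcp is the priority that was carried, or None if no
    priority tag was present. Frames on a real VLAN (VID != 0) are returned unchanged.
    """
    tag = parse_tag(frame)
    if tag is None or tag[2] != 0:
        return frame, None
    return frame[:12] + frame[16:], tag[0]


# Constructed sample: a broadcast ARP-sized frame from a made-up MAC.
SAMPLE_DST = b"\xff" * 6
SAMPLE_SRC = bytes.fromhex("021122334455")
SAMPLE_PAYLOAD = b"\x00" * 28
UNTAGGED = build_frame(SAMPLE_DST, SAMPLE_SRC, 0x0806, SAMPLE_PAYLOAD)
PRIO_TAGGED = build_frame(SAMPLE_DST, SAMPLE_SRC, 0x0806, SAMPLE_PAYLOAD, vid=0, pcp=0)
```

Comparing a capture on the ONT-facing port against one on the switch's other port with parse_tag is the test mb300sd proposes: if the tag comes out as None but the rest of the bytes match, the device is stripping VLAN 0 for you.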
 

fohdeesha

Kaini Industries
Nov 20, 2016
fohdeesha.com
It definitely wouldn't be used as the main router, just terminating it from GPON to my WAN VLAN that gets passed to my hypervisor cluster, where my actual routers sit. It would make it a lot easier if I could handle the GPON and 802.1X in hardware on a switch and just hand off a regular VLAN like I already am (DOCSIS in this case), but I think it may be a while until I get the free time to test. What switch did you test with? I thought I remembered reading about others using generic GPON SFP optics out of the box without needing to clone any serials or anything like that.
 

mb300sd

Active Member
Aug 1, 2016
I had it in a Mellanox CX3. Might give it another shot at the other house and see if I can see any packets with it plugged into the 6610. If I can even find where the SFP went.
 

mb300sd

Active Member
Aug 1, 2016
It does appear that the ICX6610 removes the VLAN 0 tag. I just did a simple "arping -i eth0.0 10.1.1.103 -S 10.1.1.153" and I can see the packets in Wireshark on my untagged interfaces.
 